You can’t outsource your security risk

Peter Soulsby
Head of Cyber Security

Peter Soulsby opens up to iTNews on the gaps in cyber contracts

With recent changes to Australian cybersecurity regulations, iTnews' sister publication techpartner.news invited cybersecurity providers from its MSP Index directory to nominate spokespeople to share their perspectives on what organisations should focus on when assessing cybersecurity contracts.

In a quickfire Q&A, Peter Soulsby, Brennan’s Head of Cybersecurity, warned organisations against thinking they can delegate their risk.

Q: Are you seeing a need for many organisations in Australia to update how they assess cybersecurity contracts? If so, why? And what is one thing they should focus on now?

Peter: Yes. Contracts are often too vague. Be specific in your ask in the contract. If you aren’t sure what you’re asking for, get an external party in to help. The parties you invite to respond to RFPs, then ultimately contract with, need to know what you’re after, with no surprises or ambiguity.

Q: Are you currently seeing a common cybersecurity contract blind spot or red flag you think is being missed too often?

Peter: The expectation that you can outsource your risk is a false and misleading one. Cybersecurity is a journey with joint accountability and responsibility between multiple parties. Contracts that try to ignore this will lead to failure for all parties privy to the contract.

Q: Are you seeing any significant tension between compliance requirements and what’s practical to include in cybersecurity contracts?

Peter: Too often these days compliance requirements trump good cybersecurity practices, and contracts reflect that skewed priority. Lots of businesses are asking for the wrong thing as a result. We need to remember that compliance does not equal security.

Q: With CPS 230 and other regulatory pressures on third-party risk, are you seeing any knock-on effects for cybersecurity agreements?

Peter: Third-party risk assessments, and now even fourth-party risk assessments (the supply chain of your supply chain) are coming more into focus. We need to think of a more pragmatic way of assessing this risk. Questionnaires with hundreds of possible answers are onerous and should be avoided.

Q: Do you see any unresolved issues when it comes to how cybersecurity contracts cover SaaS data protection – such as with Xero, HubSpot, Salesforce or other common tools?

Peter: I do. This is still too reliant on the assumption that a contract and a big SaaS provider is good enough. If the SaaS provider houses data and/or processes which are core to your business, you need to go further than a contract and use tools that dynamically assess third-party risk.

Q: Incident response and recovery can make or break a cybersecurity partnership. What’s one contractual clause organisations should insist on, particularly with ransomware reporting now in focus?

Peter: Organisations often focus on outsourcing their risk, especially with cybersecurity. I’d argue that a key clause missing in contracts is ensuring cybersecurity providers hold their clients to account, as opposed to the other way round. Cybersecurity providers know what good looks like. The contract should ensure that they are consistently sharing best practices with their clients.

Q: Are cybersecurity contracts keeping pace with the reporting and assurance needs of boards and business leaders – or are they still too IT-focused?

Peter: No. Neither are the reporting or metrics on contracts. However, often the more modern contract clauses are not practical or ready to be implemented, so it’s a bit of a chicken and egg race at the moment.

Q: Are cyber insurance requirements reshaping what goes into contracts? And if so, what should clients be watching for?

Peter: Yes, they absolutely are. Few organisations know what they get when they sign up for cyber insurance. There is often an overlap in what they ask the market for in RFPs, such as incident response. As such, there is often duplication of spend and conflicting roles. Organisations need to know what cyber insurance gives them. It’s often a lot more than they realise.

Q: What’s a smart way for organisations to balance both holding partners accountable while respecting their need to limit liability?

Peter: Don’t think for a second that you can outsource your risk. By doing so, you enter into contracts that have no meaning in practical and legal terms, and you abdicate your responsibility as a business. By engaging cybersecurity providers, you get the best of what’s available in the market, but you don’t remove your risk.

Q: For small businesses under real cost pressure, what’s the most effective way to structure cybersecurity partner contracts?

Peter: Before entering a contract, ask yourself if it’s necessary. Spending your budget on three contracts and doing them well is better than divvying up the same budget on six contracts and doing them poorly. When you’re sure you are investing in the right contract and capability, work with the provider to ensure the terms are mutually beneficial. Don’t sour the relationship with the provider before it has started.

This feature originally appeared on iTNews, 19 August 2025.